DISA Releases Guide For Buying Commercial Cloud Services

The Defense Information Systems Agency last week released the first version of a new best practices guide for Defense Department agencies responsible for purchasing commercial cloud services. It is the first major cloud guidance issued by DISA since December, when Defense Department Chief Information Officer Terry Halvorsen stripped the agency of its central cloud service provider role.

From the outset, however, DISA makes it clear that the new guidance is not official Defense Department policy. Rather, it is a collection of best practices gained from several DOD cloud pilot projects.

“This Best Practices Guide (BPG) is NOT DoD Policy, DISA Policy, a Security Requirements Guide (SRG), or a Security Technical Implementation Guide (STIG),” the document states. “It is a collection of Best Practices discovered during the DoD CIO Cloud Pilots effort for the benefit of the DOD Community.”

The 23-page guide covers everything from the basics of how cloud service providers employ and define metered compute and bandwidth resources, to more complex topics like Classless Inter-Domain Routing and considerations for deploying SQL Server and Linux operating systems to virtual machines. It also focuses heavily on security, as DISA retained its central authority in the security authorization process for commercial cloud services under the new Defense Department cloud policy.

The new guide, Best Practices Guide for DOD Cloud Mission Owners, is available for download.